“In 1993, Peter Steiner famously wrote in the New Yorker that, ‘on the Internet, nobody knows you're a dog.’ In 2011, trillions of dollars in e-commerce transactions and a growing number of other interactions have made knowing that someone is not only human, but a particular individual, increasingly important.” – Radar O’Reilly.
According to the White House Blog Post of October 14, 2011, Google, PayPal and Equifax are the first three official, federally credentialed Identity Providers of the NSTIC’s (National Strategy for Trusted Identities in Cyberspace) Identity Ecosystem. Meh, you say, what the heck does that mean and why should I care?
Well hopefully today we can shed a little light on exactly what the NSTIC is, how it is being used, and why it (hopefully) matters to you.
Why Did The NSTIC Emerge?
The NSTIC arose out of the perceived need to create a more secure and frictionless space (read: no passwords) for online interactions and transactions, especially in the areas of e-commerce and government. The NSTIC was formed with the hopes of abolishing passwords, verifying your identity through trusted identity providers and away you go, no log-ins, no fuss, and no muss.
Well that is the simplified version. The full version of the NSTIC can be found here, though make sure you have settled in for a full day of reading and following up on references. Obviously, we will not go over everything it contains, but trust me, you will not be bored!
Hmm, curious? Innovation stopped because of having to log in? Really?
What Is The NSTIC?
The NSTIC is a government strategy that is guiding the development of the “Trust Framework” and the “Identity Ecosystem”.
The Trust Framework is the framework within which all Identity Providers, private (federally credentialed) companies, will operate. It sets out rules, procedures and a network of peers that will regulate one another within the framework.
The Identity Ecosystem is the set of processes and protocols in which the identities, yours and mine, will be held. It governs the transaction of your identity across providers and the third parties who interact with your identity. It will also define the systems to be used and how credentials will be passed between user and 3rd party, allowing the ID Provider to act as the intermediary that confirms the trustworthiness of the individual.
Because the government is governed by such legislation as the Privacy Act of 1974, it would not be able to secure and authenticate individual identities without significant changes to our existing laws, so an Identity Provider would be a private corporation. Because it would be a poor choice economically and for security to have only one provider, there will be many Identity Providers that users can select from to act as their intermediary.
Note that ALL private and government agencies participating in the NSTIC would be required to follow the FIPPs (Fair Information Practice Principles) standards to be credentialed. These are based on the Privacy Act of 1974, but that Act itself applies only to Federal agencies.
These agencies then will be given Trustmarks, along with accredited third party recipients. A Trustmark is “a badge, seal, image or logo that indicates a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. To maintain Trustmark integrity, the Trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity. The Trustmark provides a visible symbol to serve as an aid for citizens and organizations to make informed choices about the providers and identity media they use.”
In the Identity Ecosystem and Trust Framework, Trustmarks serve almost the same purpose as, say, a VeriSign seal does for a website now, with the exception that without a Trustmark you would not be able to engage in the Ecosystem, or with any person or corporation that requires Identity Ecosystem credentials from users.
On the individual user level this concept of a Trustmark is handled with an “Information Card”. An Information Card might be a combination of the data you would find in your Driver’s License and your Credit Card and would assist in verifying you to your Identity Provider.
Again, this is a simplified version; for a more detailed understanding visit the NIST Site on the NSTIC.
Privacy, The NSTIC and You.
The NSTIC claims the new Trust Framework and Identity Ecosystem will be privacy enhancing and retain your anonymity. However, if you read the documents carefully you will see this “privacy” is only in relation to the data shared between you and a third party, it does not state that the data the Identity Provider holds is more private or more anonymous.
Well, it is hard to say, but it does seem the NSTIC documents go to great lengths to NEVER address the actual database functionality at the transactional level. Why do I say this? Because I have read more than thirty of them and they all write in glowing language about how your ID is protected at the third party level, but do not describe how the data is stored and processed at the Identity Provider level. That was until I ran across the precursor documentation, pages 190-191 (in the PDF) of Who Goes There? Authentication Through the Lens of Privacy. Stop by and take a read, it is enlightening. Or just wait for my next article!
So How Does The Identity Process Work?
How does the actual Identity Transaction work? After all, someone, somewhere HAS TO BE holding all that data, right? Yes, someone is, your Identity Provider holds all your data, certificates of trust and information. That is then exchanged with limited amounts of data from your data profile with 3rd parties, so you may perform transactions using the authenticated profile from your Identity Provider and the 3rd party site.
The risk is that the ID Provider who is authenticating your data is also able to de-anonymize your data and discover who did what, when, where and why. Now you ask, why would they do that? Or you may say, meh, I am not doing anything wrong, why should I care?
Well first I would say to you and the naysayers… no matter who has held your information or data online before, no one has ever held it in aggregate before, like this, just one huge data carrot.
Have you ever watched a great mystery show where they have to go from clue to clue to put all the pieces together? That is how it is today. In the NSTIC world, that data is all held in one or a few Identity Provider databases with all your online activities of ANY SITE that participates in the NSTIC online authentication system and maybe even outside of that (have you heard of the Facebook tracking cookie that logs your visits to sites AFTER YOU LOG-OUT of Facebook?).
I Don’t Care I Don’t Do Anything Wrong!
Well, to that I would say to ask the three Wikileaks Volunteers who were turned in to authorities after their Google accounts were searched without their knowledge because the Federal Government requested access (no subpoena needed), or ask about the new search Facebook is allowing employers to have access to, the one that allows them to search not just you, but EVERYONE in your profile.
One only has to go to the EFF (EFF.org) to know that the laws around privacy in cyberspace are weak and unspecified in most cases. In these cases your data is kept in a third party database, so it can be accessed at the will of the company. And if you say it has nothing to do with you, I am sure that is true – oh wait - you have paid for all those downloads in your music files right?
The Identity Ecosystem, The FTC and You.
So what does the Data Collection System look like? How does the government see you and your data in this new Ecosystem? Here is a draft from the FTC of how it sees your role in the data collection process. Ironically, you seem so large, until you get to the second image where you suddenly seem to be swarmed by entities and tiny.
So let’s take a look at the charts (the FTC images, in order):
- First are the Data Collectors
- Now we have the Data Users (OUTSIDE RING)
- And in between, the Data Brokers
Notice in the second image, the presence of government, law enforcement and oddly enough marketers. Marketers? Well not that unusual when you consider Google (and at some point Facebook) are two of the Identity Providers, plus others like them. Yes, your data, available to marketers. Now the question will be at whose whim?
So it is all ok, after all if you do not like this idea, the NSTIC documentation stresses that this is voluntary. That in this new Ecosystem the user has to be a willing participant who has volunteered to join. While this sounds great, “volunteer” has a meaning: it means that you have the option to not volunteer, to NOT participate. The question then becomes, “Do you?”
Critics of the NSTIC (and I) argue you do not have the ability to truly be a volunteer. When government agencies, especially state, local and federal, all move to this system as they are now, you will not be able to interact with them without a proper Ecosystem ID.
Then think about it: what about G+, which, as Eric Schmidt of Google himself stated, is an Identity Network, not a Social one? Then there is PayPal, Facebook; what happens when your sites become Identity Providers? Sure, I guess you could completely opt out of your online life, but is that really practical? Now according to the NSTIC, there are supposed to be alternatives for those who don’t want to participate, but there are no laws to force this, and for those who do offer the secondary option, for how long will those be maintained?
The Good Vs The Bad
So this press release by Identity Finder seemed to be echoed by many in the security community. If implemented WITH NEW Federal Regulations:
If done well, an ideal NSTIC Identity Ecosystem could establish:
- High levels of identity assurance online, increasing trust between Users and service providers
- More secure online transactions
- Innovation and new services
- Improved privacy and anonymity
- Increased convenience for Users and savings for service providers
HOWEVER, if the NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:
- Powerful identity credentials which, if lost or stolen will enable hyper-identity theft
- A false sense of control, privacy, and security among Users
- New ways to covertly collect Users' personal information
- New markets in which to commoditize human identity
- Few consumer protections against abuse or sharing personal information with third parties
- No default legal recourse against participants who abuse personal information without consent
With the establishment of the new credentialed Identity Providers and NO NEW regulations in place, my fear is there have been no steps taken to prevent the second outcome.
It is quite simple: when you put something in a database and you tie a user to a dataset, even by a unique identifier, somewhere that data is all held together, and reverse engineering it is not that difficult. Your Identity not being kept with the government, sure, that is a good thing and of course the legal thing. However, is your data, where you go online, how you interact, what you do, better kept with private marketing and media companies as illustrated in the FTC image? And what are the legal implications? Now that PayPal is a trusted provider, can the government go into your accounts without ever telling you? I don’t know the answer to these questions, yet!
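To make the aggregation point from “So How Does The Identity Process Work?” and this closing section concrete, here is an added illustration (not from the NSTIC documents or any real Identity Provider) with constructed sample events. It contrasts a single identifier reused at every site, which lets two third parties join their logs on their own, with per-site pseudonyms, which stop that join but still leave the Identity Provider holding the complete “who did what, where” profile. The IdP key, user names and site names are all made up.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample data: an IdP signing key and a few authentication events
# of the form (user, relying party / third-party site, action). Not real values.
IDP_SECRET = b"constructed-idp-key-not-a-real-secret"
EVENTS = [
    ("alice", "shop.example", "purchase"),
    ("alice", "forum.example", "post"),
    ("alice", "benefits.gov.example", "claim"),
    ("bob", "shop.example", "purchase"),
    ("bob", "forum.example", "post"),
]


def global_identifier(user, relying_party):
    """One identifier reused at every site (the design the article worries
    about). The site name is ignored, so any two sites can match records."""
    return hashlib.sha256(user.encode()).hexdigest()[:16]


def pairwise_identifier(user, relying_party):
    """A per-site pseudonym: HMAC(IdP key, user || site). Different sites get
    unrelated values, so they cannot link records without the IdP's key."""
    msg = f"{user}|{relying_party}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def cross_site_linkable(events, identifier):
    """Simulate two third parties pooling their logs with no help from the IdP:
    return how many identifiers show up at more than one site."""
    sites_per_id = defaultdict(set)
    for user, rp, _action in events:
        sites_per_id[identifier(user, rp)].add(rp)
    return sum(1 for sites in sites_per_id.values() if len(sites) > 1)


def idp_profile(events, identifier):
    """The IdP's own view: it issued every identifier, so whichever scheme is
    used it can map each one back to the person and aggregate everything."""
    profile = defaultdict(list)
    for user, rp, action in events:
        profile[user].append((rp, identifier(user, rp), action))
    return dict(profile)


if __name__ == "__main__":
    print("linkable users, global id :", cross_site_linkable(EVENTS, global_identifier))
    print("linkable users, pairwise  :", cross_site_linkable(EVENTS, pairwise_identifier))
    print("IdP profile for alice     :", idp_profile(EVENTS, pairwise_identifier)["alice"])
```

Pairwise pseudonyms protect you from the third parties comparing notes; they do nothing about the Identity Provider's own aggregate, which is exactly the gap the article is pointing at.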